CVE-2025-61882
published 2025-10-05


Priority: P1 · 100 · critical
CVSS 3.1: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2025-10-27
Exploited in the wild
EPSS: 99.72% (100.0th percentile)
Vulnerability in the Oracle Concurrent Processing product of Oracle E-Business Suite (component: BI Publisher Integration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Concurrent Processing. Successful attacks of this vulnerability can result in takeover of Oracle Concurrent Processing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | concurrent_processing | 12.2.3 – 12.2.14 | |
| oracle_corporation | oracle_concurrent_processing | 12.2.3 – 12.2.14 | |

Detection & IOCs (extracted from sources)

url: limewire[.]com
filename: Windows screensaver file (trojan)
  • CVE-2025-61882 exploitation in Oracle E-Business Suite (BI Publisher Integration component) began as early as July/August 2025, initially by the Clop ransomware gang, with exploitation occurring very shortly after public disclosure — monitor for unauthenticated HTTP requests targeting Oracle EBS endpoints.
  • After exploiting CVE-2025-61882, threat actors deployed multi-stage web shells related to the SAGE* infection chain — hunt for web shell artifacts on Oracle EBS servers.
  • CVE-2025-61882 exploitation was linked to a large-scale campaign aiming to extort executives — correlate Oracle EBS exploitation alerts with subsequent executive-targeted extortion communications.
  • The initial public disclosure of CVE-2025-61882 occurred via the Scattered LAPSUS$ Hunters blog, which published exploit scripts — monitor for use of those PoC scripts against Oracle EBS instances.
  • In October 2025, Clop began emailing impacted businesses after CVE-2025-61882 exploitation — treat Clop extortion emails as a post-exploitation indicator for Oracle EBS compromise.
  • Affected Oracle EBS versions are 12.2.3 through 12.2.14; the vulnerability is in the BI Publisher Integration component of Oracle Concurrent Processing and allows unauthenticated remote code execution over HTTP (CVSS 9.8).
  • A separate but related Oracle zero-day (CVE-2025-61884) was also disclosed after ShinyHunters leaked a PoC on Telegram; it is unclear whether ShinyHunters successfully exploited it for data theft. Treat both CVEs as part of the same Oracle EBS attack surface.

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL